Hey FanJ, what is going on here? Looks like these guys are coming in an army, supporting one another.
Any thoughts?

____________________
New form of mass attack via trojans
http://www.vsantivirus.com/13-11-02.htm

By the VSAntivirus editorial staff
vsantivirus@videosoft.net.uy

MessageLabs reported yesterday that it had intercepted a large number of messages carrying a mass-mailed trojan known as W32/Maz.A, Tr/Mastaz, Troj/Inor.A, Downloader-BO, etc.

The extent of this threat suggests that the infected machines could be used in some kind of large-scale coordinated attack (descriptions of this trojan, and of the second one that the first downloads and executes, are in the links at the end of the article).

The details (to date) provided by MessageLabs are as follows:

Number of intercepted copies (as of 12 Nov 02): 615
First intercepted message: 10 Nov 02, 14:58 GMT
Origin of the first message: United Kingdom
Number of countries in which it has been reported as active: 32
Percentage by country (the 5 with the most incidents):
  United States   60.7%
  Canada           9.3%
  South Korea      5.0%
  Great Britain    3.2%
  Mexico           2.1%

This trojan connects to an Internet address, from which it downloads and executes another trojan. Although so far only one type of trojan (Jeem.A) has been seen downloaded by the first, nothing guarantees that it cannot be replaced by another version, perhaps a more destructive one.

At the moment, the downloaded trojan turns the infected computer into an SMTP mail server, allowing the attacker to send mail through it and, more worryingly, it can also be used to mass-mail the first trojan, with the multiplying effect that implies.

MessageLabs' analysis would indicate that the first big wave of trojans was used to create new launch platforms which, once the whole process is complete, send out new messages infected with the first trojan.

The original trojan has no propagation routines; it only downloads and executes the second trojan, which can become an SMTP server and in turn send the infected messages to other users. The process is controlled remotely by one or more attackers.

It is also possible that hundreds of messages carrying the first trojan were sent through servers that accept mail from other domains (open relays).

MessageLabs' alert stems from the fact that the attacker or attackers would be building a sort of army of trojans, which could be used for other kinds of attacks (it is only necessary to change the second, downloaded trojan to change the type of attack).

In the first intercepted copies, the message showed some defects, surely due to the program used for the first mass mailing. Here is an example:

This trojan, packed with the UPX tool, is downloaded by the "Inor.A" trojan from an Internet site and copied to the infected computer under the name OUTPUT.EXE.

This file is then executed by the same trojan that downloaded it (Inor).

When that happens, the trojan, which has backdoor characteristics, copies itself to the Windows System directory under the name MSREXE.EXE:
C:\Windows\System\Msrexe.exe

'C:\Windows\System' may vary depending on the installed operating system (that is the default name in Windows 9x/ME; it is 'C:\WinNT\System32' in Windows NT/2000 and 'C:\Windows\System32' in Windows XP).

The trojan then stays resident in memory and opens ports 4668, 5262 and 6079.

Using TCP port 4668, it configures the infected machine as an SMTP server. This allows the attacker to send e-mail to the infected computer and to use it to relay their own mail (as with any provider's SMTP server).

To ensure that MSREXE.EXE is run at every Windows startup, the following registry entry is created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Service System = C:\Windows\System\Msrexe.exe

This trojan, packed with the UPX utility, spreads as an attachment to an intentionally sent e-mail message. Once executed, the trojan stays in memory and tries to connect to a certain site to download and execute another trojan.

This is only an example, since the message can be modified by its sender.

When the trojan is executed (when the user opens and runs the attachment), it tries to download a file COUNTER.C from a site hosted at "hypermart.net".

Once downloaded, COUNTER.C is saved in the current folder under the name OUTPUT.EXE.

OUTPUT.EXE is detected by most antivirus products as "Jeem.A".

If the download fails, the "Inor.A" trojan modifies the registry, creating the following entry, which allows it to run automatically at every system startup and retry the COUNTER.C download.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
inr\5Nzg1mOWKzFnuvu6 = [ name and way of the troyano ]
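The two Run-key entries above and the three listening ports are the host-side indicators a responder would check for. The following triage script is an added example, not code from the VSAntivirus article or from MessageLabs: it parses a regedit .reg export of the Run key and the output of `netstat -an` (Windows column layout assumed) and flags the value names "Service System" and "inr\5Nzg1mOWKzFnuvu6", the binaries MSREXE.EXE and OUTPUT.EXE, and TCP ports 4668, 5262 and 6079 in LISTENING state. The sample export and netstat text are constructed for the demonstration; `C:\Temp\attachment.exe` stands in for the "[name and path of the trojan]" placeholder in the article.

```python
r"""Host triage helper for the Inor.A / Jeem.A indicators described in the article.

Added example; not code from the VSAntivirus article or from MessageLabs.
It takes text a responder already has in hand (a .reg export of the Run key
and the output of `netstat -an`) and flags the article's indicators:
  - Run-key value "Service System" pointing at MSREXE.EXE (Jeem.A persistence)
  - Run-key value "inr\5Nzg1mOWKzFnuvu6" (Inor.A download-retry persistence)
  - TCP ports 4668, 5262, 6079 in LISTENING state (Jeem.A backdoor / SMTP relay)
The sample inputs at the bottom are constructed for the demonstration.
"""
import re
from typing import Dict, List

# Indicators from the article. regedit exports spell out HKEY_LOCAL_MACHINE.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_VALUE_NAMES = {"Service System", r"inr\5Nzg1mOWKzFnuvu6"}
SUSPICIOUS_BINARIES = {"msrexe.exe", "output.exe"}
BACKDOOR_PORTS = {4668, 5262, 6079}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] and "name"="value" lines of a .reg export into a dict.

    Only REG_SZ values are handled, which is all a Run key normally holds.
    A .reg file escapes each backslash as two backslashes; that is undone here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = re.match(r'^"(.+?)"="(.*)"$', line)
        if value_match and current is not None:
            name = value_match.group(1).replace("\\\\", "\\")
            data = value_match.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_key_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return Run-key entries whose value name or target binary matches the indicators."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        # Target binary: last path component, minus any arguments or quotes.
        parts = data.split("\\")[-1].split()
        exe = parts[0].strip('"').lower() if parts else ""
        if name in SUSPICIOUS_VALUE_NAMES or exe in SUSPICIOUS_BINARIES:
            hits.append(f"{name} = {data}")
    return hits


def find_listening_backdoor_ports(netstat_output: str) -> List[int]:
    """Return the article's backdoor ports found in LISTENING state in `netstat -an` output."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        # Windows netstat rows: Proto  Local Address  Foreign Address  State
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                found.add(port)
    return sorted(found)


def triage(reg_export: str, netstat_output: str) -> Dict[str, list]:
    """Run both checks and return the findings together."""
    return {
        "run_key_entries": find_run_key_indicators(parse_reg_export(reg_export)),
        "listening_ports": find_listening_backdoor_ports(netstat_output),
    }


# Constructed sample inputs for the demonstration (not captured from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Service System"="C:\\Windows\\System\\Msrexe.exe"
"inr\\5Nzg1mOWKzFnuvu6"="C:\\Temp\\attachment.exe"
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4668           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6079           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT).items():
        print(section)
        for item in findings:
            print("  ", item)
```

On a real host you would feed it the output of `regedit /e run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"` and of `netstat -an`; matching on the target binary as well as the value name catches the case where the attacker changes the value name but keeps the file name.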

When the COUNTER.C download succeeds, the trojan creates the following registry entry:

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan, and delete all files that are detected as Downloader.BO or Backdoor.Trojan.
4. Reverse the changes that the Trojan made to the registry.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key: